apple-bridges

Fail

Audited by Gen Agent Trust Hub on Apr 29, 2026

Risk Level: HIGH (DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [DATA_EXFILTRATION]: The skill provides comprehensive access to private data across Apple Reminders, Calendar, Contacts, Notes, and Mail. Using the mail-bridge send command with the --force flag, an agent can send this data to external recipients without triggering a UI review window, creating a significant exfiltration vector.
  • [COMMAND_EXECUTION]: The tmux-bridge write command allows the agent to send arbitrary text and keystrokes to any active tmux terminal pane. This capability enables the agent to execute any shell command, including those with elevated privileges if the terminal session is already authenticated or uses sudo as suggested in the documentation.
  • [DATA_EXFILTRATION]: Multiple bridge tools (mail-bridge, notes-bridge, tmux-bridge) allow reading sensitive content such as email bodies, private notes, and terminal scrollback buffers, exposing credentials, private conversations, and system configuration to the agent context.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests untrusted data from multiple sources (emails, notes, terminal output) and possesses powerful write capabilities.
    1. Ingestion points: mail-bridge read, notes-bridge read, tmux-bridge read.
    2. Boundary markers: The skill lacks explicit instructions for the agent to use delimiters or ignore embedded instructions when processing content from these bridges.
    3. Capability inventory: The agent can send emails (mail-bridge send --force), execute terminal commands (tmux-bridge write), and modify personal records across all supported Apple apps.
    4. Sanitization: No sanitization or validation logic is specified for the data retrieved from external Apple apps before it is processed as natural language instructions by the agent.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Apr 29, 2026, 12:02 PM